Securities and Exchange Commission
Office of Inspector General

During the first half of fiscal year 2005, the Office of Inspector
General assisted the Commission in its efforts to:

    - Strengthen Commission software management and controls,
    - Improve the planning of investment management filing reviews,
    - Enhance the integrity of the Commission and its staff by
      investigating allegations of misconduct,
    - Improve contracting controls over task orders under
      agreements with other federal agencies,
    - Enhance the management of information technology in
      Commission field offices,
    - Ensure that required steps for reviewing disgorgement
      waivers are completed,
    - Comply with the provisions of the Federal Information
      Security Management Act,
    - Properly manage wireless communication devices,
    - Complete an “As-Is” enterprise architecture in compliance
      with federal requirements, and
    - Assure the effectiveness of field office administrative
      controls.

Executive Summary

During this period (October 1, 2004 to March 31, 2005), the Office of Inspector General
(Office) issued ten audit reports and one special project report. These evaluations focused on
information technology contractor billings; enterprise architecture; enforcement
disgorgement waivers; the planning of investment management filing reviews; compliance
with the Federal Information Security Management Act; information technology
management in the Northeast and Southeast Regional Offices; software management;
administrative controls in the Fort Worth and Salt Lake District Offices; and management
of wireless communication devices.
This work is described in more detail in the Audit Program section below.

Eleven investigations were closed during the period. Two subjects were referred to the
Department of Justice, which declined prosecution of these subjects. Four subjects were
referred to the Commission. One of these subjects was counseled; the other three subjects are
awaiting disposition. In addition, one subject referred during a prior period resigned;
another was removed; and a third was suspended. The Investigative Program section below
describes the significant cases closed during the period.

Information technology (IT) management had been previously reported as a significant
problem. During this period, the Commission continued to improve its IT management, but
significant weaknesses remain. We intend to maintain our audit focus in this important
area.

An audit completed in a prior period found that Commission financial management controls
for fiscal year 2002 were effective in all material respects except for controls over property
accountability, accounting and control of disgorgements, information system and security
program controls, and the Disgorgement and Penalties Tracking System. Accordingly, we
reported these exceptions, taken together, as a significant problem. Several high-level task
forces have taken steps or are currently taking steps to correct these weaknesses. Also, the
Government Accountability Office is following up on these areas as part of its audit of the
Commission's financial statements.

No management decisions were revised during the period. The Office of Inspector General
agrees with all significant management decisions regarding audit recommendations.

Audit Program

The Office issued ten audit reports and one special project report during the reporting
period. These documents contained a total of 38 recommendations, which are further
summarized below.
Management generally concurred with the recommendations, and in
many cases took corrective actions during the audits.

SECURITIES & EXCHANGE COMMISSION    APRIL 29, 2005

IT CONTRACTOR BILLINGS (AUDIT 380)

An OIG contractor evaluated the Commission’s internal controls for obtaining certain
information technology (IT) support services. The IT support services were obtained under
an agreement (task orders) with the Millennium Services Center (MSC) of the U.S.
Department of Transportation, and were provided by an MSC contractor (Science
Applications International Corporation or SAIC).

We found that for the period covered by the review, the Commission had not established
adequate controls for obtaining IT support services using a customer service agreement
with MSC. Commission officials indicated that the controls improved during the course of
the contract, including improvements made subsequent to the review period.

Specific control weaknesses with respect to the MSC customer service agreements included:

    • Task orders were not sufficiently detailed to fully describe the Commission’s
      expectations and the oversight responsibilities of the MSC and the Commission.
    • MSC applied a management fee on SAIC invoices before sending them to the
      Commission, but the Commission’s Contracting Officer’s Technical Representative
      (COTR) was unaware of the amount or basis for the fees.
    • The Commission’s COTR certified invoices without sufficient supporting
      documentation.
      This weakness related to the decision to have MSC be responsible
      for contract administration.

We recommended that the Commission enhance existing policies, procedures, and COTR
training to improve the controls over task orders under agreements with other federal
agencies. We also recommended that the Commission request that the Defense Contract
Audit Agency (the cognizant audit agency for SAIC) perform an audit of specified task
orders under the MSC agreement.

ENTERPRISE ARCHITECTURE (AUDIT 381)

We contracted with an independent accounting firm to perform a review of the
Commission’s progress in establishing an enterprise architecture as required by applicable
guidance. The audit work was terminated early for contractual reasons.

The contractor prepared an Enterprise Architecture (EA) Management Maturity Scorecard
(as of April 15, 2004) which showed the extent of the Commission’s progress. We found that
the Commission had taken several steps towards developing and documenting an “as-is”
architecture in accordance for the most part with the Federal Enterprise Architecture
(FEA).

We recommended that the Office of Information Technology (OIT) obtain business owner
support for the “as-is” enterprise architecture; establish a communication strategy to
introduce EA successfully throughout the Commission; establish a plan to ensure proper
project management, configuration management, quality assurance, risk management, and
security; and complete the “as-is” architecture in accordance with the FEA.

ENFORCEMENT DISGORGEMENT WAIVERS (AUDIT 384)

Disgorgements represent repayment of ill-gotten gains resulting from individuals violating
the federal securities laws.
The Commission seeks disgorgements to ensure that securities
law violators do not profit from their illegal activity. Payment of a disgorgement can be
either completely or partially waived based on a defendant's sworn representation of
financial condition.

As a follow-up to a prior audit (No. 311), we evaluated the adequacy of Enforcement's
written procedures for waivers and the extent of compliance with those procedures. In
response to the prior audit, the Division of Enforcement (Enforcement) issued guidance and
took other steps to improve the waiver process.

We found that further improvements in the controls and guidance for reviewing
disgorgement waivers are needed. Our recommendations included implementing controls
to ensure that required steps for waivers are completed; clarifying the guidance; and
training the staff.

PLANNING INVESTMENT MANAGEMENT FILING REVIEWS (AUDIT 387)

The Division of Investment Management (IM) reviews investment company filings for
compliance with disclosure rules. IM’s general goals for this review include ensuring that
investment companies fully disclose their policies, procedures and risk and that their
proposed activities are consistent with the law. We evaluated the internal controls
regarding filing review planning by IM.

We found that IM could improve controls over their planning of filing reviews by identifying
and measuring outcomes from filing reviews. Our other recommendations included
developing filing review objectives; considering ways to better analyze outcome data (e.g.,
through a new or improved database); training staff on outcome measures; improving
communication between offices within IM; and including compliance monitoring plans in
action memoranda to the Commission.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT-2004 (SPECIAL PROJECT NO. 391)

We hired an independent CPA firm to evaluate the Commission’s information systems
security program for compliance with the Federal Information Security Management Act
(FISMA). We provided a response to the Office of Management and Budget (OMB) in
compliance with OMB Memorandum M-04-25.

We found that a material weakness and two significant deficiencies identified in a prior
year remained unresolved. The material weakness related to weak security controls within
the Commission’s financial management systems. The two significant deficiencies related
to failure to maintain a Plan of Actions and Milestones (POA&M) process, and IT security
costs not being properly identified by project, tracked, and reported in the Commission’s
Exhibits 53 and 300.

Also, we found that the Commission was not substantially in compliance with OMB
Circular A-130, Appendix III; FISMA requirements; and National Institute of Standards
and Technology guidance. Several information security issues from prior years had not yet
been resolved.

The Government Accountability Office audited the Commission's financial statements for
the first time in fiscal year 2004. During this audit, numerous findings relating to
information security were identified, including not certifying and accrediting major systems
and not creating contingency plans for major applications. These findings were considered
during our evaluation.

NERO IT MANAGEMENT (AUDIT 392)
SERO IT MANAGEMENT (AUDIT 400)

An OIG contractor reviewed Information Technology (IT) management at the Commission’s
Northeast and Southeast Regional Offices (NERO and SERO).
Our objectives were to
evaluate the adequacy of NERO’s and SERO’s internal controls for IT management and
their compliance with applicable guidance. A primary focus of the review was IT security.

We briefed Commission management on our detailed findings and recommendations. We
found that IT management at NERO and SERO needed to be improved, and brought into
compliance with Commission guidance. The contractor identified numerous risks in the
offices’ IT security awareness, practices, and procedures; building security; organizational
structure; and coordination with the Office of Information Technology (OIT). As part of its
response, OIT has scheduled IT management reviews in the remainder of the Commission's
field offices.

SOFTWARE MANAGEMENT (AUDIT 393)

Under a task order with our office, an OIG contractor reviewed the Commission’s
management of its software. The review found that some controls and best practices had
been established, including a configuration management function and the tracking of some
software.

We also found that the Commission’s controls needed to be improved to meet accepted
criteria (the Capability Maturity Model), and to be in full compliance with applicable laws
and regulations. Our testing found numerous instances of unapproved software on
Commission computers and file servers.

We recommended that the Office of Information Technology assign responsibility and
improve processes for software management.
Our findings related to policy guidance;
controls; record keeping; inventories; training; contractors; and performance measures.

FORT WORTH DISTRICT OFFICE (AUDIT 396)
SALT LAKE DISTRICT OFFICE (AUDIT 397)

We reviewed selected financial and administrative controls in the Commission's District
Offices in Fort Worth, TX (FWDO) and Salt Lake City, UT (SLDO). The audit scope
included the following financial and administrative functions: time and attendance;
purchasing; travel; property management; and budgeting. The purpose of these audits was
to provide the Commission with negative assurance that the internal controls were
adequate, being implemented economically and efficiently, and in compliance with
Commission policies and procedures.

During the limited audit described above, no material weaknesses in the FWDO's and the
SLDO’s financial and administrative controls came to our attention. We informally
discussed a number of non-material control weaknesses with FWDO and the SLDO, who
agreed to implement corrective actions.

MANAGEMENT OF WIRELESS COMMUNICATION DEVICES (AUDIT 398)

Commission Regulation SECR 24-5.2 governs the use of Personal Digital Assistants (PDAs)
and similar technologies by Commission staff and contractors. We reviewed the adequacy
of this regulation and the extent of compliance with certain parts of it. We also evaluated
whether the management of wireless communication devices needed to be improved.

We found that the Commission can improve its management of wireless communication
devices.
The regulation covering PDAs can be expanded or supplemented to explicitly
include cell phones and pagers, which are similar wireless devices.

Also, we found that the offices and divisions we surveyed had insufficient awareness of the
PDA regulation, and had not done enough to implement it. Most users had not signed
service agreements, office heads had not issued guidance on appropriate use of the devices,
and unannounced audits of PDA use had not been performed. Also, the Office of
Information Technology (which manages the program) did not have adequate inventory
records for PDAs. The number of unassigned PDAs (which the Commission is paying for)
could exceed Commission needs.

Investigative Program

Eleven investigations were closed during the period. Two subjects were referred to the
Department of Justice, which declined prosecution of these subjects. Four subjects were
referred to the Commission. One of these subjects was counseled; the other three
subjects are awaiting disposition. In addition, one subject referred during a prior period
resigned; another was removed; and a third was suspended.

The most significant cases closed during the period are described below.

TRAVEL FRAUD

An investigation found evidence that a staff member had submitted numerous false or
inflated claims for expense reimbursement on travel vouchers. Other evidence disclosed
that the employee failed to use a government credit card while on official travel, misused
the government transportation subsidy, received gifts from outside sources in violation of
the Government-wide Standards of Conduct, and abused time and attendance. The
Department of Justice declined prosecution.
Administrative action is pending.

MISUSE OF POSITION

An Office investigation developed evidence that a senior official had engaged in conduct
that created the appearance that the official was using public office for the private gain of a
relative. We referred the matter for consideration of administrative action.

UNAUTHORIZED DISCLOSURE

The Office investigated an allegation that a senior official had disclosed non-public
information to an unauthorized person. The evidence developed during the investigation
failed to substantiate the allegation.

INSIDER TRADING

The Office investigated an allegation that a staff member may have purchased stock based
upon insider information. Evidence developed by a joint investigation conducted with
Commission Enforcement staff failed to substantiate that the employee’s trades were based
on insider information.

POST-EMPLOYMENT VIOLATION

The Office investigated an allegation that a former staff member had communicated with a
Commission attorney on behalf of a client concerning a matter in which the former
employee had personally and substantially participated while employed at the Commission,
in violation of the restrictions on post-employment communications with the employee’s
former agency. The evidence developed failed to substantiate that the former employee had
violated the post-employment restrictions.

Significant Problems

No new significant problems were identified during the period.

Significant Problems Identified Previously

FINANCIAL MANAGEMENT SYSTEMS CONTROLS

An OIG contractor completed an audit of Commission financial management systems
controls during a prior period (Audit No. 362).
That audit found that Commission financial
management controls for fiscal year 2002 were effective in all material respects except for
three material weaknesses and one material non-conformance. The exceptions concerned
property accountability, accounting and control of disgorgements, information system and
security program controls, and the Disgorgement and Penalties Tracking System. We
reported that, taken together, these financial management exceptions are a significant
problem for the Commission.

Management concurred with our recommendations to strengthen these financial controls,
and several high-level task forces have taken actions or are taking actions to correct the
weaknesses. The Government Accountability Office reviewed the corrective actions taken
by the task forces as part of its audit of the Commission’s fiscal year 2004 financial
statements.

INFORMATION TECHNOLOGY MANAGEMENT

Since April 1996, we have reported information technology (IT) management [1] as a
significant problem based on weaknesses identified by several audits, investigations, and
management studies. Significant IT weaknesses of continuing concern include IT capital
investment decision-making; information systems security; administration of IT contracts;
IT project management; enterprise architecture management; strategic management of IT
human capital; and management of software licenses.

During this period, we completed audits on IT management in two regional offices; software
management; IT contractor billings; enterprise architecture; and wireless communication
devices, as well as an evaluation of the Commission’s information security program
(required by the Federal Information Security Management Act). See the Audit Program
section for more details.

During this semi-annual period, the Office of Information Technology (OIT) continued to
correct the Commission’s IT weaknesses.
OIT indicated that, among other steps, it:

    • Filled all of the 130 management and staff positions within the Office of
      Information Technology, including newly appointed senior managers and
      supporting staff overseeing capital planning and investment control,
      enterprise architecture, information security, and financial management;
    • Instituted an IT policy framework to facilitate implementing, managing, and
      enforcing Commission-wide and OIT-specific IT governance responsibilities,
      workflows, and activities;
    • Instituted an integrated IT capital planning and investment control process
      to facilitate program-oriented budgeting, program planning and execution,
      and performance measurement;
    • Established a Certification and Accreditation Team, which is performing
      certifications on major Commission applications; and
    • Developed and implemented an integrated IT security monitoring capability,
      an employee security awareness program, and a detailed remediation plan to
      address a series of known security issues uncovered during a recent GAO
      audit.

[1] Formerly reported as Information Resources Management (IRM).

Although OIT continues to take action to correct the identified IT weaknesses, we still
consider IT management to be a significant problem.
We intend to continue our oversight
of this area.

Access to Information

The Office of Inspector General has received access to all information required to carry out
its activities. No reports to the Chairman, concerning refusal of such information, were
made during the period.

Other Matters

AUDIT OF COMMISSION FINANCIAL STATEMENTS

Under the Accountability of Tax Dollars Act of 2002, the Commission is now required to
prepare audited financial statements. The Office of Management and Budget had waived
this requirement for fiscal years 2002 and 2003.

The U.S. Government Accountability Office is performing the initial financial statement
audit of the Commission for fiscal year 2004, and is expected to perform the audit for fiscal
year 2005 and beyond.

EXTERNAL COORDINATION

The Office actively participates in the activities of the Executive Council on Integrity and
Efficiency (ECIE). The Inspector General attends ECIE meetings, is an active member of
its Financial Institutions Regulatory Committee, and serves as the ECIE member on the
Integrity Committee (established by Executive Order No. 12993).

The Deputy Inspector General is an active member of the Federal Audit Executive Council
(FAEC).
The FAEC considers audit issues relevant to the Inspector General community.

The Counsel to the Inspector General is an active member of the PCIE Council of Counsels.
The Council considers legal issues relevant to the Inspector General community.

Questioned Costs

                                                                       DOLLAR VALUE (IN THOUSANDS)
                                                        NUMBER    UNSUPPORTED COSTS    QUESTIONED COSTS
A     For which no management decision has been
      made by the commencement of the reporting
      period                                              0               0                   0
B     Which were issued during the reporting
      period                                              0               0                   0
      Subtotals (A+B)                                     0               0                   0
C     For which a management decision was made
      during the reporting period                         0               0                   0
(i)   Dollar value of disallowed costs                    0               0                   0
(ii)  Dollar value of costs not disallowed                0               0                   0
D     For which no management decision has been
      made by the end of the period                       0               0                   0
      Reports for which no management decision
      was made within six months of issuance              0               0                   0

Recommendations That Funds Be Put To Better Use

                                                        NUMBER    DOLLAR VALUE (IN THOUSANDS)
A     For which no management decision has been
      made by the commencement of the reporting
      period                                              1                 132
B     Which were issued during the reporting
      period                                              0                   0
      Subtotals (A+B)                                     1                 132
C     For which a management decision was made
      during the period                                   0                   0
(i)   Dollar value of recommendations that were
      agreed to by management                             0                   0
      - Based on proposed management action               0                   0
      - Based on proposed legislative action              0                   0
(ii)  Dollar value of recommendations that were
      not agreed to by management                         0                   0
D     For which no management decision has been
      made by the end of the reporting period             1                 132
      Reports for which no management decision
      was made within six months of issuance              1                 132

Reports with No Management Decisions

A management decision has not yet been made on our recommendation that $132,000 be
put to better use (Audit No. 376, Telephone Card Program, summarized in a previous
semi-annual report).

Revised Management Decisions

No management decisions were revised during the period.

Agreement with Significant Management Decisions

The Office of Inspector General agrees with all significant management decisions regarding
audit recommendations.

MANAGEMENT RESPONSE OF
THE SECURITIES AND EXCHANGE COMMISSION
ACCOMPANYING THE SEMIANNUAL REPORT OF THE INSPECTOR GENERAL
FOR THE PERIOD OCTOBER 1, 2004 THROUGH MARCH 31, 2005

Introduction

The Semiannual Report of the Inspector General (IG) of the Securities and Exchange
Commission (SEC) was submitted to the Chairman on April 29, 2005 as required by the
Inspector General Act of 1978, as amended. The report has been reviewed by the Managing
Executive for Operations, Executive Director, General Counsel, and Director of the Division of
Enforcement. The Management Response is based on their views and consultation with the
Chairman.

The Management Response is divided into four sections to reflect the specific requirements
listed in Section 5(b) of the Inspector General Act of 1978, as amended.

Section I
Comments Keyed to Significant Sections of the IG Report

A.  Audit Program

    During the reporting period, the IG issued ten audit reports and one special project report.
    Management generally concurred with the findings and recommendations in the IG’s
    reports.

    In addition to audits performed by the agency’s IG, the Government Accountability Office
    (GAO) actively reviewed program and administrative functions of the SEC. A complete
    listing of all GAO audit activity involving the SEC is attached as Appendix A.

B.  Response to Significant Problems

    No new significant problems were identified by the IG during this reporting period.

C.  Response to Significant Problems Previously Identified

    Financial Management System Controls

    The IG’s Semiannual Report continues to identify the financial management exceptions
    reported in both the SEC’s Federal Managers’ Financial Integrity Act certification and a
    contractor’s audit of Commission financial management system controls as a significant
    problem for the Commission. Most of the recommendations have been addressed in
    preparation for the Commission’s financial statement audit. For example, the
    recommendations to strengthen internal controls and financial reporting on sensitive and
    accountable property have been implemented. A brief description of recent SEC actions to
    strengthen IT security and accounting and control for disgorgement funds follows.

        • The SEC continues to make progress in its IT security program. Over the past
          several months, the Office of Information Technology (OIT) has been working
          internally as well as consulting with the GAO to develop an action plan to further
          strengthen the agency’s information security program.
          In addition, among other
          things, the office has established a certification and accreditation team, which is
          performing certifications on major Commission applications, and has developed
          and implemented an integrated security monitoring capability and a detailed
          remediation plan to address a series of known security issues uncovered during a
          recent GAO audit. By June 2006, the SEC will implement corrective actions for
          specific control weaknesses in the IT security area according to a quarter-by-quarter
          timeline.

        • With respect to accounting and controls for disgorgement funds, the SEC has made
          significant progress in this area and continuing efforts to strengthen these operations
          remains an important programmatic and financial management initiative. During
          fiscal 2005 the staff will complete a comprehensive review of files and data and
          review and strengthen policies and procedures. It is anticipated that consistent
          application of strengthened internal controls and potentially some limited redesign
          of the program’s existing management information system will be adequate to
          resolve the weakness in fiscal 2006. However, replacement of the current system
          and a more thorough reexamination of the relevant business processes will provide
          more effective assurance, and in fiscal 2006 the SEC will complete a requirements
          analysis as the first phase of the multi-year project to replace the system.

    Information Resources Management

    SEC management continues to make progress in its information resources management
    program.
     During the reporting period, among other things, OIT instituted (1) an IT policy
     framework to facilitate implementing, managing, and enforcing SEC-wide and OIT-specific
     IT governance responsibilities, workflows, and activities and (2) an integrated IT capital
     planning and investment control process to facilitate program-oriented budgeting, program
     planning and execution, and performance measurement.

D.   IG Recommendations Concerning Use of Funds

     On November 17, 2003, the IG issued a report concerning the Commission’s telephone card
     program. During the review, the IG found that the General Services Administration had
     incorrectly billed the Commission approximately $132,000 for unused telephone lines. The
     SEC’s Office of Financial Management followed up on this matter and determined that
     equipment and programming changes requested by the SEC caused the increase in the cost
     of service. No refund is due to the Commission.

E.   Reports with No Management Decisions

     Management decisions have been made on all audits issued prior to the beginning of the
     reporting period (October 1, 2004).

F.   Revised Management Decisions

     No management decisions were revised during the reporting period.


SEC Management Response to
Semiannual IG Report
October 1, 2004 – March 31, 2005


                                          SECTION II
                                       Disallowed Costs
                                      As of March 31, 2005


                                                                      Dollar Value
                                                             Number   (in thousands)

A.    For which final action has
      not been taken by the
      commencement of the
      reporting period                                        0              $0

B.    On which management decisions
      were made during the reporting
      period                                                  0              $0

      (Subtotal A+B)                                          0              $0

C.    For which final action was
      taken during the reporting
      period                                                  0              $0

      (i)    Recovered by management                          0              $0

      (ii)   Disallowed by management                         0              $0

D.    For which no final action has
      been taken by the end of the
      reporting period                                        0              $0


                                          SECTION III
                                     Funds Put to Better Use
                                      As of March 31, 2005


                                                                      Dollar Value
                                                             Number   (in thousands)

A.    For which final action has
      not been taken by the
      commencement of the
      reporting period                                        0              $0

B.    On which management decisions
      were made during the reporting
      period                                                  0              $0

C.    For which final action was
      taken during the reporting
      period:

      (i)    Dollar value of recommendations
             that were agreed to by management                0              $0

      (ii)   Dollar value of recommendations
             that management has subsequently
             concluded should/could not be
             implemented or completed                         1              $132

D.    For which no final action has been
      taken by the end of the reporting period                0              $0


                                          SECTION IV
                              Open Audit Reports Over One Year Old
                                      As of March 31, 2005


                                                    Funds Put to
                                                     Better Use        Questioned Costs
Audit #   Audit Title                  Issued       (in thousands)      (in thousands)     Reason Final Action Not Taken

220       IRM Planning and
          Execution                    3/26/1996         $0                   $0           New staff members are onboard and
                                                                                           currently reviewing and revising,
                                                                                           as appropriate, all IT-related
                                                                                           policies. A capstone IRM regulation
                                                                                           is expected to be developed by
                                                                                           calendar year-end.

243       SECOA Local Area
          Network                      3/21/1997         $0                   $0           A major effort is underway to certify and
                                                                                           accredit existing major applications and
                                                                                           general support systems. This effort is
                                                                                           expected to be completed in 2006.

257       Client Server                9/9/1997          $0                   $0           See explanation for audit #220 above.

309       Telecommunications
          Vulnerabilities              3/31/2000         $0                   $0           Responsibility for telecommunications
                                                                                           security has been reassigned to the Office
                                                                                           of Information Technology. A baseline scan
                                                                                           of telecommunications security will be
                                                                                           conducted in August. The scan will be
                                                                                           evaluated against policies and procedures.
                                                                                           Needed improvements will be completed in
                                                                                           fiscal 2006.

320       General Computer Controls    12/26/2000        $0                   $0           The recommendations are being addressed
                                                                                           as part of the remediation efforts underway
                                                                                           as a result of the audit of the SEC’s financial
                                                                                           statements.

327       General Computer
          Controls—Regions             2/28/2001         $0                   $0           See explanation for audit #220.

330       Real Property Leasing        5/31/2001         $0                   $0           The revised leasing regulation is being
                                                                                           reviewed by the Office of General
                                                                                           Counsel.

337       IT Project Management        1/24/2002         $0                   $0           The Office of Information Technology
                                                                                           has partnered with George Washington
                                                                                           University to develop a more advanced
                                                                                           methodology for performance acquisition
                                                                                           analysis. Efforts are underway to collect
                                                                                           baseline data.

346       Commission Oversight of
          NAFI                         3/7/2002          $0                   $0           A policy document concerning the
                                                                                           Recreation and Welfare Association is
                                                                                           being reviewed by the Office of General
                                                                                           Counsel.

350       Administration of IT
          Contracts                    8/28/2002         $0                   $0           See explanation for audit #337.

351       EDGAR Utility to
          Commission Staff             1/15/2003         $0                   $0           Post-acceptance corrections will be
                                                                                           addressed in 2005. The outcome will
                                                                                           become part of the requirements for a
                                                                                           follow-on contract, which should be signed
                                                                                           in 2006.

353       Regional Telecommunications
          Security                     8/20/2002         $0                   $0           See explanation for audit #309.

354       Broker-dealer Risk
          Assessment Program           8/13/2002         $0                   $0           The SEC’s risk assessment rules are being
                                                                                           revised to better reflect the current state of
                                                                                           the industry and target those firms posing
                                                                                           risks to investors and the broader
                                                                                           financial system.

361       Commission Web Security      9/30/2002         $0                   $0           See explanation for audit #320.

362       Financial Management
          System Controls              3/27/2003         $0                   $0           See explanation for #320.

365       IT Capital Investment
          Decision-making Followup     3/29/2004         $0                   $0           A charter for the SEC’s Capital Planning
                                                                                           Committee and several policy documents
                                                                                           are being reviewed by the Office of
                                                                                           General Counsel.

368       SEC Recreation and
          Welfare Asso. Financial
          Management                   7/31/2003         $0                   $0           See explanation for audit #346.

371       Small Business Reg D
          Exemption Process            3/31/2004         $0                   $0           Most of the recommendations have
                                                                                           been implemented. The two remaining
                                                                                           recommendations are being addressed
                                                                                           as part of a rulemaking initiative.

372       Regulation of Public
          Utility Companies            10/20/2003        $0                   $0           The staff is evaluating the legal
                                                                                           implications of posting certain
                                                                                           information on a public website.

376       Telephone Card Program       11/17/2003        $0                   $0           The audit findings and recommendations
                                                                                           are being reviewed in light of recent
                                                                                           changes to the SEC’s telecommunications
                                                                                           program.

377       Lost and Stolen
          Securities Program           3/31/2004         $0                   $0           Certain issues related to the program are
                                                                                           under review by the LSSP Advisory
                                                                                           Board.

M22       Rural Office Location
          Policy                       3/28/2002         $0                   $0           See explanation for #330.

M27       NRSI Password
          Management                   1/29/2003         $0                   $0           See explanation for audit #361.

M30       Rural Relocation Policy--
          Followup                     6/19/2003         $0                   $0           See explanation for #330.

M33       Unclaimed Commission
          Property                     11/12/2003        $0                   $0           Efforts are underway to determine
                                                                                           whether there are any legal restrictions
                                                                                           to implementing the one remaining
                                                                                           recommendation.

M35       Commission-wide Use of
          X-Ray Scanners               2/10/2004         $0                   $0           Funds have been budgeted for more
                                                                                           training later this year on the use of the
                                                                                           x-ray machines.

M36       Priority to Rural Areas of
          New Offices                  3/29/2004         $0                   $0           See explanation for audit #M22.


                                          APPENDIX A

                       Government Accountability Office Audit Activity
                      Involving the Securities and Exchange Commission


Reports Completed During the Reporting Period

1.    Financial Regulation: Industry Changes Prompt Need to Reconsider U.S. Regulatory
      Structure, GAO-05-61 (10/2004)

2.    Loan Commitments: Issues Related to Pricing, Trading, and Accounting, GAO-05-131
      (2/2005)

3.    Tax Shelters: Services Provided by External Auditors, GAO-05-171 (2/2005)

4.    Credit Reporting Literacy: Consumers Understood the Basics but Could Benefit from
      Targeted Educational Efforts, GAO-05-223 (3/2005)

5.    Information Security: Securities and Exchange Commission Needs to Address Weak
      Controls Over Financial and Sensitive Data, GAO-05-262 (3/2005)

6.    Securities and Exchange Commission Human Capital Survey, GAO-05-118R (11/2004)


Projects Active as of March 31, 2005

1.    Workforce Planning (250234).
      A review of the SEC’s strategic workforce planning efforts,
      including the extent to which SEC has (1) established a workforce planning process that is
      aligned with its mission and programmatic goals and (2) developed and implemented long-
      term strategies for acquiring, developing, and retaining staff necessary to achieve these
      goals.

2.    Social Security Numbers and Third Party Contracting (130395). A review of the uses and
      protections of social security numbers.

3.    Whois Database (310724). A study to (1) determine the prevalence of patently false
      contact data in the Whois database for “legacy” generic top-level domains, (2) report the
      steps the Commerce Department and the Internet Corporation for Assigned Names and
      Numbers have taken to ensure the accuracy of contact data in the database, and (3)
      determine whether tools and technologies are available to help reduce the amount of false
      information that is entered into the database.

4.    Industrial Loan Corporations (250202). To enrich its analysis of industrial loan
      corporations, GAO is consulting with SEC to obtain an understanding of the supervision of
      securities firms and their holding companies.

5.    Military Insurance Sales (250166). A review of the financial products that are commonly
      marketed to military service members, the regulatory oversight associated with marketing
      and sale of these products on military installations, the regulatory oversight and consumer
      protections afforded military personnel compared to those afforded the general public, and
      how regulators assess the suitability of such products.

6.    Pay Systems (842157). A review of public and private sector organizations’ experiences in
      designing and implementing pay systems that are intended to be performance-based and
      market sensitive. Through meetings with SEC, GAO plans to determine if SEC’s pay
      system could be used as a possible example to illustrate how a specific design or
      implementation issue is being addressed.

7.    Student Loan Repayment Program (450338). An examination of the reasons selected
      agencies are using or not using the program, how the agencies view the benefits of the
      program compared to other recruitment and retention flexibilities, how the program is
      being administered, and the results and lessons learned, if any, from using the program.

8.    EEO Leadership Survey (450307). A government-wide survey of (1) how agencies are
      structured to meet EEO, affirmative employment and workforce diversity requirements, (2)
      the extent to which human capital and EEO managers perceive that these requirements
      contribute to EEO, affirmative employment, and workforce diversity objectives, and (3)
      how human capital and EEO managers view the guidance and feedback central leadership
      agencies provide.

9.    Information Security (250218). GAO is completing assessments at key financial market
      organizations of the information security used to control access to important information
      networks and systems. After completing the assessments, GAO plans to brief SEC on its
      findings and to provide SEC with an opportunity to comment on any products it prepares.

10.   Federal Energy Programs (360415). A review of how the Federal Government is working
      to meet the nation’s energy needs. GAO’s contact with SEC will focus on issues relating to
      oversight of the Public Utility Holding Company Act and any involvement SEC has had
      with the National Energy Policy.

11.   Effects of Sarbanes-Oxley on Small Business (250224). A review of (1) the effects of the
      Act on small companies, (2) the extent to which financial institutions and states are
      requiring small privately-held companies to comply with provisions of the Act and the
      corresponding impacts, and (3) the impact, if any, the Act has had on small accounting and
      auditing firms.

12.   Disgorgement and Fines (250214). A follow-up on the status of various reform efforts,
      such as the SEC’s efforts in improving and managing the disgorgements and fines data
      tracking system, and the status of collection rates. Also, an assessment of the extent to
      which the SEC has implemented Section 308 (Fair Funds Provision) of the Sarbanes-Oxley
      Act, and any other legislative or regulatory actions that assist efforts to collect penalties
      and disgorgements.

13.   Global Social Responsibility (320271). A study of (1) the definition of corporate social
      responsibility and global corporate social responsibility, (2) the role, if any, that federal
      agencies have in promoting or monitoring global corporate social responsibility, and (3)
      whether federal programs or policies either promote or undermine U.S. company global
      corporate social responsibility efforts.

14.   PUHCA (250213). A review of the SEC’s administration and enforcement of the Public
      Utility Holding Company Act of 1935. Specifically, an assessment of the Office of Public
      Utility Regulation’s processes for reviewing claims of exemptions, assessing registered
      holding companies, and issuing no-action letters, and how the Commission determines
      whether companies exert controlling influence over a public utility holding company.

15.   Tax Treatment of Large Settlements (450296). A review of the tax treatment of large
      settlements reached by federal regulatory and oversight agencies.

16.   Trading Abuse Detection (250200). A review of the information systems and methods
      securities regulators could use to detect late trading and market timing in mutual fund
      shares.

17.   Mutual Fund Enforcement (250199). A review of the SEC’s enforcement activities and
      capabilities related to the mutual fund industry.

18.   Decimalization (250195). A review of the impact decimalization has had on the securities
      markets, securities market participants, and institutional and retail investors.

19.   Mutual Fund Inspections (250185). A review to determine whether the scope and conduct
      of broker inspections is adequate with respect to the sales of mutual funds and other issues
      relating to broker-dealer sales of mutual funds.

20.   Implementation of USA Patriot Act’s Anti-money Laundering Provisions (250179). A
      review of (1) the status of implementation of sections 326 and 314, (2) the Treasury’s and
      regulators’ procedures for assessing compliance and enforcement, (3) plans to sustain
      efforts to educate the industry about the new regulations, and (4) the extent to which
      regulators have revised examination guidance and applied it.

21.   Career Appointments of Former Political Appointees (450274). A government-wide
      review of executive branch agencies and departments to assess career appointments of
      former political appointees.

22.   FY 2004 Financial Statement Audit (198241). An audit of the SEC’s fiscal year 2004
      financial statements.